On 11.04.19 at 13:35, Mark Cairney wrote:
Hello Mark,
> However based on our understanding of how SSL works we should only
> actually need the intermediate(s) in there as the client should have the
> root and then compare the intermediate provided by the server and only
> trust it if it can use this in conjunction with its copy of the root
> certificate to complete the chain of trust.
>
> Based on this we configure our web servers to only have the
> intermediate(s) in their chain (and in fact SSL Labs marks you down if
> you have the root in there too).
That's best practice for *any* TLS server.
Have a look at https://www.openldap.org/its/index.cgi?findid=8586
With the referenced patch I can set up
TLSCertificateFile /path/to/cert+intermediate.pem
TLSCertificateKeyFile /path/to/privkey.pem
I have no TLSCACertificateFile at all because I don't use certificates
to authenticate LDAP clients...
> Of course we do realise LDAP is not HTTP!
I think, it *is* very similar...
Andreas
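An added example (my own, not from this thread and not OpenLDAP code) that checks a PEM bundle meant for TLSCertificateFile the way described above: leaf first, each following certificate the issuer of the one before it, and no self-signed root at the end. It walks the DER structure with the standard library only; fake_cert_pem and the two sample bundles are constructed for the demonstration and are not real certificates.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                           # one DER TLV header: (tag, value_start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _raw(buf, pos):                           # raw bytes of the TLV at pos, and where it ends
    end = _tlv(buf, pos)[2]
    return buf[pos:end], end

def issuer_and_subject(der):
    """Return (issuer, subject) as the raw DER Name encodings of one certificate."""
    _, p, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                    # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                           # optional [0] EXPLICIT version (present in v3)
        p = end
    _, _, p = _tlv(der, p)                    # serialNumber
    _, _, p = _tlv(der, p)                    # signature AlgorithmIdentifier
    issuer, p = _raw(der, p)                  # issuer Name
    _, _, p = _tlv(der, p)                    # validity
    subject, _ = _raw(der, p)                 # subject Name
    return issuer, subject

def check_bundle(pem):
    """Problems in a slapd TLSCertificateFile chain: leaf first, issuers follow, no root."""
    certs = [issuer_and_subject(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]
    problems = [] if certs else ["no certificates found"]
    for i, (issuer, subject) in enumerate(certs):
        if issuer == subject:                 # byte-exact Name match: the usual self-signed sign
            problems.append(f"cert {i}: self-signed root; clients have their own copy, drop it")
        if i > 0 and certs[i - 1][0] != subject:
            problems.append(f"cert {i} did not issue cert {i - 1}; chain order is broken")
    return problems

def _der(tag, body): return bytes([tag, len(body)]) + body  # short-form lengths: enough for samples

def fake_cert_pem(issuer_cn, subject_cn):
    """Constructed, unsigned sample certificate with just enough structure to be parsed."""
    def name(cn):                             # Name ::= SEQUENCE OF SET OF (commonName OID, cn)
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed samples: leaf + intermediate is what TLSCertificateFile should hold; the root is redundant.
GOOD = fake_cert_pem("Example Issuing CA", "ldap.example.test") + fake_cert_pem("Example Root CA", "Example Issuing CA")
WITH_ROOT = GOOD + fake_cert_pem("Example Root CA", "Example Root CA")
```

Run it over a real file with check_bundle(open("/path/to/cert+intermediate.pem").read()); it compares Name encodings byte for byte and verifies no signatures, so it is a sanity check on the file layout, not a replacement for openssl verify.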